<?php
/*
#  Copyright (c) 2012, Gjøvik University College
#  All rights reserved.

#  Redistribution and use in source and binary forms, with or without
#  modification, are permitted provided that the following conditions are met:
#      * Redistributions of source code must retain the above copyright
#        notice, this list of conditions and the following disclaimer.
#      * Redistributions in binary form must reproduce the above copyright
#        notice, this list of conditions and the following disclaimer in the
#        documentation and/or other materials provided with the distribution.
#      * Neither the name of the Gjøvik University College nor the
#        names of its contributors may be used to endorse or promote products
#        derived from this software without specific prior written permission.
#       
#  THIS SOFTWARE IS PROVIDED BY Gjøvik University College ''AS IS'' AND ANY
#  EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL Gjøvik University College BE LIABLE FOR ANY
#  DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
#  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
#  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
#  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
#  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
require_once('config.php');
require_once('lib/auth_base.php');
require_once('lib/common_functions.php');
require_once('lib/db_functions.php');
require_once('lib/domain_functions.php');

$config = get_config();

$config['sql_link'] = @mysql_connect( 
	$config['sql_server'],
	$config['sql_username'],
	$config['sql_password']
);
if ( !$config['sql_link'] )
{
	print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database connection failed.'));
	exit;
}

//*************************************************************************************	
if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logout" ) )
{
	switch ( $_SERVER['PATH_INFO'] )
	{
		case "/login":
			// Allow login using username and password, or API key.
			// On successful login, a named session should be started,
			// some data related to the session should be stored,
			// and the name of the session provided to the user
			// in the result.
			$type = false;
			$authid = false;

			if ( array_key_exists('username', $_POST) 
				&& array_key_exists('password', $_POST) )
			{
				if ( 1 == authuser_verify( sql_clean($_POST['username']), sql_clean($_POST['password'])))
				{
					$type = "user";
					$authid = $_POST['username'];
				}
				else
				{
					print json_encode( array( 'response' => 'failed', 'cause' => 'unauthorized', 'description' => 'Login failed') );
					exit;
				}
			}
			else if ( array_key_exists('api_key', $_POST) )
			{
				if ( verify_apikey( sql_clean( $_POST['api_key'] ) ) == 1 )
				{
					$type = "key";
					$authid = $_POST['api_key'];
				}
				else
				{
					print json_encode( array( 'response' => 'failed', 'cause' => 'unauthorized', 'description' => 'Login failed') );
					exit;
				}
			}
			else
			{
				print json_encode ( array( 'response' => 'invalid') );
				break;	
			}
			$session_name = set_credentials( $authid, $type );
			$auth_key = update_authkey( $session_name, $authid );
			print json_encode( array( 'response' => 'ok', 'session' => $session_name, 'auth_key' => $auth_key ));
			break;
		case "/logout":
			// De-authenticate/deauthorize the ongoing session.
			// I.e. destroy session data, remove session cookies.
			$session_name = "";
			if ( array_key_exists('session', $_POST ) )
				$session_name = $_POST['session'];
			session_name($session_name);
			session_start();
			clear_credentials($session_name);

			if ( $_SESSION )
				print json_encode ( array( 'response' => 'wtffailed?') );
			else
				print json_encode ( array( 'response' => 'ok') );
			break;
		default:
			print json_encode ( array( 'response' => 'invalid') );
	}
}
else
{
	token_auth();

	switch ( $_SERVER['PATH_INFO'] )
	{
		case "/ping":
			// API clients are required to periodically ping the server
			// The time between pings (interval) is 5 minutes?
			// A ping call refreshes cookie lifetimes, then
			// generates and stores a new auth_key
			// The ping required a valid session...
			// A successful ping returns a 'response' => 'pong'
			// along with the new auth_key.
			$session_name = $_POST['session'];
			$authid = $_SESSION['authid'];
			$auth_key = update_authkey( $session_name, $authid );
			print json_encode( array( 'response' => 'pong', 'auth_key' => $auth_key ));
			break;
		case "/new_apikey":
			// If the current authorization has write access, create
			// a new API key with requested access (ro/rw).
			if ( ! can_write() )
				simple_authfail();

			if ( array_key_exists('host_ip', $_POST )
				&& array_key_exists('access', $_POST ))
			{
				$host = $_POST['host_ip'];
				$access = $_POST['access'];

				if (! preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/", $host) || ! authlevel_value( $access ) )
				{
					print json_encode ( array( 'response' => 'invalid', 'cause' => 'parameters' ) );
					break;	
				}
				$level = authlevel_value( $access );
				$key = add_apikey( $host, $level );
				if ( ! $key )
				{
					print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
					break;
				}
				print json_encode( array( 'response' => 'ok', 'key' => $key, 'host' => $host, 'access' => authlevel_name( get_authorization( "key", $key ) ) ) );
				break;
			}
			else print json_encode ( array( 'response' => 'invalid') );
			break;	
		case "/remove_apikey":
			// If the current authorization has write access,
			// remove the given API key.
			if ( ! can_write() )
				simple_authfail();

			if ( array_key_exists('api_key', $_POST ) )
			{
				$key = sql_clean( $_POST['api_key'] );
				// Perform a key-verification, skipping host/remote-address check.
				if ( ! verify_apikey( $key, true ) )
				{
					print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant'));
					break;
				}
				if ( ! remove_apikey( $key ) )
				{
					print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
					break;
				}
				print json_encode( array( 'response' => 'ok', 'key' => $key ) );
				break;
			}
			else print json_encode ( array( 'response' => 'invalid') );
			break;	
		case "/list_apikeys":
			// List valid API keys.
			// Fail is current authorization does not have write access.
			if ( ! can_write() )
				simple_authfail();
			$list = list_apikeys();
			print json_encode( array( 'response' => 'ok', 'list' => $list ) );
			break;
		case "/authorize_user":
			// Add or update a valid back-end user in authorization
			// if the current authentication has write access.
			// Since the user exists in backend, the only
			// needed parameters should be username and access level
			// If the authorization does not exist, add it.
			// If the user is already authorized, replace access level.
			if ( ! can_write() )
				simple_authfail();

			if ( array_key_exists('username', $_POST )
				&& array_key_exists('access', $_POST ))
			{
				$user = $_POST['username'];
				$access = $_POST['access'];
				$level = authlevel_value( $access );

				if ( ! $level )
				{
					print json_encode ( array( 'response' => 'invalid', 'cause' => 'parameters' ) );
					break;	
				}
				if ( ! authuser_getinfo( $user ) )
				{
					print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant'));
					break;
				}

				if ( ! update_authorization( "user", $user, $level ) )
				{
					print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
					break;
				}

				print json_encode( array( 'response' => 'ok', 'user' => $user, 'access' => authlevel_name( get_authorization( "user", $user ) ) ) );
				break;
			}
			else print json_encode ( array( 'response' => 'invalid') );
			break;	

		case "/remove_user":
			// If the current authentication has write access:
			// Remove authorization for the given users.
			// Delete user from backend if backend is read-write.
			if ( ! can_write() )
				simple_authfail();

			if ( array_key_exists('username', $_POST ))
			{
				$user = $_POST['username'];

				$t_level = get_authorization( "user", $user ); 

				if ( $t_level && ! remove_authorization( $user ) )
				{
					print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
					break;
				}
				if ( ! authmethod_readonly() )
				{
					if ( !authuser_getinfo( $user ) )
					{
						print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant'));
						break;
					}
					if ( !authuser_delete( $user ) )
					{
						print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
						break;
					}
				}

				print json_encode( array( 'response' => 'ok', 'user' => $user ) );
				break;
			}
			else print json_encode ( array( 'response' => 'invalid') );
			break;	

		case "/list_users":
			// List valid API user-acounts.
			// Fail with notauthorized if current authentication
			// does not have write access.
			// Should not return users from backend, 
			// but should only return users with authorization.
			if ( ! can_write() )
				simple_authfail();
			$list = list_authusers();
			print json_encode( array( 'response' => 'ok', 'list' => $list ) );
			break;

		case "/add_user":
			// Add user to backend if backend is read-write and
			// the current authentication has write access.
			// The created user should be added to authorizations
			// with an access level of "limited_read (1)"
		case "/update_user":
			// Update the given user in the backend, if the backend
			// is read-write, and the current authentication has
			// write access.
			print json_encode ( array( 'response' => 'notimplemented') );
			break;
		default:
			print json_encode ( array( 'response' => 'invalid') );
	}
}
//*************************************************************************************	
mysql_close( $config['sql_link'] );
?>